Comment Period Extended for FedRAMP's New Baseline


The "Tailored" baseline was introduced as a possible means to usher in speedier assessments for certain kinds of solutions.

The public and industry have another month to voice comment and feedback regarding the Federal Risk and Authorization Management Program's prospective new “Tailored” baseline following an extension announced Monday.

“After requests from industry and agencies, we have decided to extend our public comment period for FedRAMP Tailored to April 24th,” the FedRAMP office said in a statement. “By providing your thoughts and input on our new baseline, you are helping to ensure that FedRAMP Tailored meets the needs of both agencies and industry. Additionally, we hope this time will spark a deeper dialogue among comments on FedRAMP Tailored.”

The FedRAMP office, which spent much of 2016 making large-scale improvements to how it standardizes cloud computing security requirements for federal agencies, announced its Tailored baseline in February as a possible means to usher in speedier assessments for certain kinds of solutions.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The initial tailored approach was a collaborative effort among the General Services Administration, the Office of Management Budget, the National Institute of Standards and Technology, and the Joint Authorization Board, which includes representatives from the Homeland Security and Defense departments.

The goal is essentially to tailor “the security method to be commensurate with the risk of breach or hack,” according to GSA’s notice, which suggests low-impact cloud applications (those that help the government do business but do not directly impact mission needs) would be prime targets for FedRAMP Tailored.

The FedRAMP Tailored announcement posits specific criteria cloud providers and agency authorizing officials could agree upon before cloud solution offerings attempt to meet FedRAMP standards. If the criteria are met and all parties agree, the aforementioned cloud solution offering could instead meet the FedRAMP Tailored baseline that “provides a minimum set of security control requirements,” speeding up the process.

However, public comment could prove significant, either by altering the premise of the FedRAMP Tailored approach or changing the initial criteria cloud service offerings would have to meet prior to qualifying for the tailored baseline.